Module: ActionController::RequestForgeryProtection::ClassMethods
- Defined in:
- actionpack/lib/action_controller/metal/request_forgery_protection.rb
Instance Method Summary collapse
-
#protect_from_forgery(options = {}) ⇒ Object
Turn on request forgery protection.
Instance Method Details
#protect_from_forgery(options = {}) ⇒ Object
Turn on request forgery protection. Bear in mind that only non-GET, HTML/JavaScript requests are checked.
class FooController < ApplicationController
protect_from_forgery except: :index
You can disable csrf protection on controller-by-controller basis:
skip_before_action :verify_authenticity_token
It can also be disabled for specific controller actions:
skip_before_action :verify_authenticity_token, except: [:create]
Valid Options:
-
:only/:except
- Passed to thebefore_action
call. Set which actions are verified. -
:with
- Set the method to handle unverified request.
Valid unverified request handling methods are:
-
:exception
- Raises ActionController::InvalidAuthenticityToken exception. -
:reset_session
- Resets the session. -
:null_session
- Provides an empty session during request but doesn’t reset it completely. Used as default if:with
option is not specified.
88 89 90 91 92 |
# File 'actionpack/lib/action_controller/metal/request_forgery_protection.rb', line 88 def protect_from_forgery( = {}) self.forgery_protection_strategy = protection_method_class([:with] || :null_session) self.request_forgery_protection_token ||= :authenticity_token prepend_before_action :verify_authenticity_token, end |